[RADIATOR] 'No logon servers' access-reject problem

Heikki Vatiainen hvn at open.com.au
Mon Apr 8 14:42:29 UTC 2019

On 01/04/2019 15.34, lukas.bielinski at zv.fraunhofer.de wrote:

> Sat Mar 21 11:30:37 2019: WARNING: NTLM Could not authenticate user
> 'USER': No logon servers

> Sat Mar 21 11:30:37 2019: INFO: Accounting: User: USER AuthBy;
> authby-withoutrealm, OriginalUserName: USER, NAS-IP-Address:,
> NAS-Identifier: eduroam, NAS-Port: 0, Calling-Station-Id:
> AABBCC112233, Form-Station-Id: 11:22:33:AA:BB:CC, Result: 1, Result
> String: EAP MSCHAP-V2 Authentication failure

> This message is send as an 'access-reject' to the radsecproxy and
> client. Which is a legitim radius message for all network devices,
> even though this should not happen. At this point, the radsecproxy
> sees no reason to failover upcoming authentication-requests to the
> second radiator, which works fine with the DCs.

I can see why this is a problem. Unfortunately, currently the NTLM 
credentials check returns binary output: OK or not OK. There's no method 
to say "Can't tell".

I've been looking at this and while there are ways to make this work, it 
requires code changes and can not be solved with configuration only. The 
good part is, that at the same time, we could make the reason code 
available too.

Another thing currently is that while the a more detailed reason is 
logged in the debug log, it's not available in the authentication log.


Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.

More information about the radiator mailing list